Personal data breach

aricooperdavis

Moderator
The BCRA have been made aware of a personal data breach in which some personal information of BCRA members was accidentally made publicly accessible. The BCRA are working to reduce the impact of the breach, and are aware of their responsibilities under UK GDPR regarding managing and reporting the breach.

To minimise impact to data subjects please refrain from directly discussing where this personal data may still be accessible. If you wish to disclose this directly to the BCRA please do so to it-manager@bcra.org.uk.

Note: I am not involved with IT at the BCRA, but am passing on a message. A previous thread on this subject has been deleted by request of the OP.
 
It's possible that the data may have included personal information of some BCA Direct Individual Members (apart from those who are also BCRA members). BCA are in contact with BCRA to understand the extent of the breach and ensure appropriate reporting.
 
Can anyone tell me what a personal data breach might mean for people involved?
 
So far as I know, in this case, it might be a person's full name, postal address and the email address they use for Paypal, but that will need to be confirmed by BCRA.
 
So I’m not subscribed to BCRA but I pay my DIM fee to BCA and I just found my details out there in this breach.
 
Edwardov, were you able to access the details or did you just see the entry in the search findings but the link led to a 404?
 
I just searched for only my name, and my full name, home address and email address appeared in the list of search results. So I assume the full dataset has been cached and can be retrieved by the search, even if the live version is currently dead.
 
Just tried for some people I know (BCA only, no BCRA subscription) using only their names, and full name, home address and email address appeared in the results. Interestingly some of the instances were dated back to January 2023 (likely renewal related). So this has been going on a while in the background I’d imagine where everything is now cached and accessible.

So this may apply to all historical members, not just current members.
 
Whilst not good, it is unlikely to be a useful source for hackers, as far too small a database to be of interest and most of that info will be available elsewhere.
 
I tried searching for my name this afternoon when this was first announced, and again just now, with both Google and Duck Duck Go, and although my name comes up a lot in relation to articles and activities, none of it has been BCRA-related, nor have I seen my personal details displayed anywhere, either now, or this afternoon. I have been on the internet for decades though, so maybe it's a volume thing?
 
Unfortunately getting Google to delist things often takes days. That request has been made, so we'll have to wait for it to be actioned.

The relative risk for this sort of data breach is generally considered to be quite low. The main risk is probably phishing, which I'm sure those investigating will be working to mitigate as best they can. If I were the DPO investigating I'm not sure it would meet the criteria for reporting to the ICO, although I don't know all the details.
 
It's now been confirmed that the data set that was accessible includes all BCA DIMs who paid by Paypal for 2024 or 2023, and only included name, postal address and email address - no passwords or bank details. There's no evidence so far that the whole data set was downloaded, although it may have been. The source document was removed at 12:45 today and the search hits that people are finding since then are the data in the search engine cache, which are specific to the term searched for - so there's no way anyone can have downloaded the whole data set since it was taken down. It may not be wise for people to search for their names; search engine algorithms tend to rank things higher if they have been searched for. As above, steps are in hand to get that cached data removed.

The main risk is that the data could be used for phishing, that is, impersonating a trusted organisation in order to obtain more sensitive information, so people who might be affected should be alert to that possibility.
 
Since the move to electronic membership cards, is the processing of home address for everyone still justifiable under GDPR?
 
Many BCRA members will need to give their home address to receive journals or for gift aid processing.

I believe the BCA needs them so that in the event of an insurance claim an individual can be reliably identified by the insurers as being a BCA member and therefore being covered by the PLI scheme. I can't remember where I got that from, and it's been a while since I was involved, so I could be wrong.
 
I was going to say the same as Ari: whilst BCA no longer posts anything to members' postal addresses, I believe we need postal addresses so we can satisfy ourselves, our insurers and others that we are able to identify our membership.

We don't insist on email addresses or date of birth data - so postal addresses are needed to identify members.

For example, I had a phone call from the police the other day; they wanted to check that someone applying for an acquire and keep licence was a BCA member. They gave me a first and last name. We had three BCA members with the same first and last name. I asked for more details and we used the postal address to confirm which of our members it was, so we could assure the police force involved that they are a current BCA member.
 
BCA have now completed their assessment of the data breach and will be emailing the members whose details were on the list and so may have been revealed. The content of the email will be as below:

Dear Member

On July 1, the BCA and BCRA became aware that some personal data was exposed to the public via the internet. This was investigated immediately and rectified within the hour. It is likely that the data was visible for some weeks, possibly from the beginning of May. We are writing to you because some of your personal information was included in this data. We do not believe this will have serious consequences but we want to make you aware of it.

The exposed data is from a summary of membership payments made via Paypal for BCA's DIM members since 2020. It includes only name, email address, postal address, a Paypal identifier and the amount paid. It does not include any passwords, card numbers, dates of birth or other sensitive information.

The BCA is registered with the Information Commissioner’s Office and we have taken informal advice from them about how we should manage the incident. Based on the information we gave them, which is the same as we’re providing to you in this email, they agreed that it’s not serious enough to require us to formally report it to them. We are, however, keeping a detailed record of how it occurred, what we’ve done and the steps we’re taking to avoid anything similar happening in future.

The data was exposed as the result of an accident and not by malicious action. If it had been the result of a malicious attack, it would be likely to be in the hands of criminals with an intent to misuse it. This would only be the case here if they had happened to carry out a search, using Google or a similar search engine, for some of the information. We believe this is unlikely.

If, however, your data has come into the hands of a malicious person, they might deduce that you had a connection to the BCA or BCRA and attempt to ‘phish’ for more of your information.

Therefore, please be aware of the possibility of phishing emails purporting to come from the BCA or BCRA, perhaps referring to a membership payment and asking for personal details such as a bank account number or password. Neither the BCA nor BCRA will do this.

We are, however, moving to a new membership system managed on our behalf by JustGo. You can verify that this message is genuinely from BCA by checking for a similar message on our website at https://british-caving.org.uk/data-breach-dims/

Phishing emails are particularly dangerous on phones where it is not always possible to see the true address of a web site you are being asked to visit. You always need to be vigilant and aware of possible phishing attacks. For more information on phishing see the UK National Cyber Security Centre’s website https://www.ncsc.gov.uk/collection/phishing-scams/spot-scams

BCA and BCRA sincerely apologise for any trouble caused. If you have any concerns or questions please contact the BCRA or BCA at secretary@bcra.org.uk or dataprotection@british-caving.org.uk.

Chris Bolton
BCA Treasurer
Acting Data Protection Officer
 
Oh no, Chris, I bet this was not one of the first things you were expecting to have to deal with as the newly elected BCA Treasurer :oops:

Nor do I imagine you were expecting to become the BCA's Acting Data Protection Officer... did you draw the short straw?

Nonetheless, an impressive and comprehensive response, put together very quickly indeed (presumably with help from others too, including Ari and Katie, whose support to BCA has been outstanding). I suspect there are large companies with paid employees who would not deliver such prompt and proactive action. If this is a sign of the competence of our new BCA team, then I am very hopeful for the future.
 